26. The Statement on Standards for Attestation Engagements (SSAE) 18 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). As an investor, when reviewing SOC reports for a cloud provider, which report would you most like to see?
A. SOC 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3
27. The Statement on Standards for Attestation Engagements (SSAE) 18 Service Organization Control (SOC) reports are audit tools promulgated by the American Institute of Certified Public Accountants (AICPA). You are an IT security professional working for an organization that is considering migrating from your on-premises environment into the cloud. Assuming some have passed SSAE 18 audits and some haven’t, which SOC report might be best to use for your initial review of several different cloud providers in order to narrow down the field of potential services in a fast, easy way?
A. SOC 1
B. SOC 2, Type 1
C. SOC 2, Type 2
D. SOC 3
28. Which of the following entities would not be covered by the Payment Card Industry Data Security Standard (PCI DSS)?
A. A bank issuing credit cards
B. A retailer accepting credit cards as payment
C. A business that processes credit card payments on behalf of a retailer
D. A company that offers credit card debt repayment counseling
29. What sort of legal enforcement may the Payment Card Industry (PCI) Security Standards Council not bring to bear against organizations that fail to comply with the Payment Card Industry Data Security Standard (PCI DSS)?
A. Fines
B. Jail time
C. Suspension of credit card processing privileges
D. Subject to increased audit frequency and scope
30. The Payment Card Industry Data Security Standard (PCI DSS) merchant levels are based on _______________.
A. Dollar value of transactions over the course of a year
B. Number of transactions over the course of a year
C. Location of the merchant or processor
D. Dollar value and number of transactions over the course of a year
31. In terms of greatest stringency and requirements for security validation, which is the highest merchant level in the Payment Card Industry (PCI) standard?
A. 1
B. 2
C. 3
D. 4
32. The Payment Card Industry Data Security Standard (PCI DSS) requires _______________ security requirements for entities involved in credit card payments and processing.
A. Technical
B. Nontechnical
C. Technical and nontechnical
D. Neither technical nor nontechnical
33. According to the Payment Card Industry Data Security Standard (PCI DSS), if a merchant is going to store credit cardholder information for any length of time, what type of security protection must be used?
A. Tokenization or masking
B. Obfuscation or tokenization
C. Masking or obfuscation
D. Tokenization or encryption
34. What element of credit cardholder information may never be stored for any length of time, according to the Payment Card Industry Data Security Standard (PCI DSS)?
A. The full credit card number
B. The card verification value (CVV)
C. The cardholder’s mailing address
D. The cardholder’s full name
35. When reviewing IT security products that have been subjected to Common Criteria certification, what does the Evaluation Assurance Level (EAL) tell you?
A. How secure the product is from an external attack
B. How thoroughly the product has been tested
C. The level of security the product delivers to an environment
D. The level of trustworthiness you can have if you deploy the product
36. Which Common Criteria Evaluation Assurance Level (EAL) is granted to those products that are functionally tested by their manufacturer/vendor?
A. 1
B. 3
C. 5
D. 7
37. Which Common Criteria Evaluation Assurance Level (EAL) is granted to those products that are formally verified in terms of design and tested by an independent third party?
A. 1
B. 3
C. 5
D. 7
38. Who pays for the Common Criteria certification of an IT product?
A. National Institute of Standards and Technology (NIST)
B. The vendor/manufacturer
C. The cloud customer
D. The end user
39. Who publishes the list of cryptographic modules validated according to the Federal Information Processing Standard (FIPS) 140-2?
A. The U.S. Office of Management and Budget (OMB)
B. The International Standards Organization (ISO)
C. International Information System Security Certification Consortium, or (ISC)2
D. The National Institute of Standards and Technology (NIST)
40. Who performs the review process for hardware security modules (HSMs) in accordance with the Federal Information Processing Standard (FIPS) 140-2?
A. The National Institute of Standards and Technology (NIST)
B. The National Security Agency (NSA)
C. Independent (private) laboratories
D. The European Union Agency for Network and Information Security (ENISA)
41. In terms of the number of security functions offered, which is the highest Federal Information Processing Standard (FIPS) 140-2 security level a cryptographic module can achieve in certification?
A. 1
B. 2
C. 3
D. 4
42. What distinguishes the Federal Information Processing Standard (FIPS) 140-2 security levels for cryptographic modules?
A. The level of sensitivity of data they can be used to protect
B. The amount of physical protection provided by the product, in terms of tamper resistance
C. The size of the IT environment the product can be used to protect
D. The geographic locations in which the product is allowed
43. For U.S. government agencies, what level of data sensitivity/classification may be processed by cryptographic modules certified according to the Federal Information Processing Standard (FIPS) 140-2 criteria?
A. Sensitive but unclassified (SBU)
B. Secret
C. Top Secret
D. Sensitive Compartmentalized Information (SCI)
44. Who pays for cryptographic modules to be certified in accordance with Federal Information Processing Standard (FIPS) 140-2 criteria?
A. The U.S. government
B. Module vendors
C. Certification laboratories
D. Module users
45. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. What is probably the single most important way of countering the highest number of items on the OWASP Top Ten (regardless of year)?
A. Social engineering training
B. Disciplined coding practices and processes
C. White-box source code testing
D. Physical controls at all locations at which the application is eventually used
46. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “injection.” In most cases, what is the attacker trying to do with an injection attack?
A. Get the user to allow access for the attacker.
B. Insert malware onto the system.
C. Trick the application into running commands.
D. Penetrate the facility hosting the software.
47. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list usually includes “injection.” In most cases, what is the method for reducing the risk of an injection attack?
A. User training
B. Hardening the OS
C. Input validation/bounds checking
D. Physical locks
48. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “broken authentication and session management.” Which of the following is a good method for reducing the risk of broken authentication and session management?
A. Do not use custom authentication schemes.
B. Implement widespread training programs.
C. Ensure that strong input validation is in place.
D. Use X.400 protocol standards.
49. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “broken authentication and session management.” Which of the following is not a practice/vulnerability that can lead to broken authentication and infringe on session management?
A. Session identification exposed in URLs
B. Unprotected stored credentials
C. Lack of session timeout
D. Failure to follow Health Insurance Portability and Accountability Act (HIPAA) guidance
50. The Open Web Application Security Project (OWASP) Top Ten is a list of web application security threats that is created by a member-driven OWASP committee of application development experts and published approximately every 24 months. The OWASP Top Ten list often includes “broken authentication and session management.” Which of the following is not a practice/vulnerability that can lead to broken authentication and infringe on session management?
A. Failure